query problem

g3ckO
Forum Contributor
Posts: 117
Joined: Mon Jul 12, 2004 2:57 am
Location: Malaysia

Post by g3ckO »

What's wrong in the code below:

Code:

<?php

session_start(); 
include("database.php");

$name =  $_GET['value'];

function extract_user() 
{  
   $query="SELECT * FROM employee WHERE username ='$name'"; 
   $result=mysql_query($query); 
   $row_array=mysql_fetch_array($result); 
   return $row_array; 
} 

   $row_array=extract_user(); 

   $Des=$row_array['EmpDes'];
   $Sno=$row_array['StaffNo'];

echo"$name";
echo"$Des";
echo"$Sno";
?>

I get the output for $name but not for $Des and $Sno.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Try:

Code:

echo '<pre>';
print_r($row_array);
echo '</pre>';

...to check what's being returned.

PS: you should escape strings obtained from user input before using them in a query.
Last edited by McGruff on Sun Aug 07, 2005 11:55 pm, edited 1 time in total.
Breckenridge
Forum Commoner
Posts: 62
Joined: Thu Sep 09, 2004 11:10 pm
Location: Breckenridge, Colorado

Post by Breckenridge »

feyd | Please use code tags when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)


Try declaring your database variable as a global before selecting from database, this should work:

Code:

<?php

session_start(); 
include("database.php");

$name =  $_GET['value'];

function extract_user() 
{  
   global $db; // <<<<<< use your database variable name

   $query="SELECT * FROM employee WHERE username ='$name'"; 
   $result=mysql_query($query); 
   $row_array=mysql_fetch_array($result); 
   return $row_array; 
} 

   $row_array=extract_user(); 

   $Des=$row_array['EmpDes'];
   $Sno=$row_array['StaffNo'];

echo"$name";
echo"$Des";
echo"$Sno";
?>


Post by g3ckO »

For:

Code:

<?php
echo '<pre>';
print_r($row_array);
echo '</pre>';
?>

Nothing happened.

The second suggestion also doesn't work.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

uhm.. $name isn't a variable inside the function.
ol4pr0
Forum Regular
Posts: 926
Joined: Thu Jan 08, 2004 11:22 am
Location: ecuador

Post by ol4pr0 »

Hit me if I am wrong:
-> $name = $_GET['value'];
Shouldn't you just use the global $_GET inside your function?

Code:

function extract_user() 
{  
   global $db; // <<<<<< use your database variable name

   $query="SELECT * FROM employee WHERE username ='".$_GET['name']."'"; 
   $result=mysql_query($query); 
   $row_array=mysql_fetch_array($result); 
   return $row_array; 
}

Post by g3ckO »

This is where the value for $_GET['value'] comes from:

Code:

<?php
echo "<a href=\"leave_detail.php?value=$nama\">$nama</a>";
?>

And the following code returns a blank page.

Code:

<?php

session_start(); 
include("database.php");

function extract_user() 
{ 
global $conn;
$query="SELECT * FROM employee WHERE username ='".$_GET['value']."'";
$result=mysql_query($query);    
$row_array=mysql_fetch_array($result);    
return $row_array; 
}
    
$row_array=extract_user();    
$Des=$row_array['EmpDes'];   
$Sno=$row_array['StaffNo'];
 
echo"$Des"; 
echo"$Sno"; 
?>

Post by feyd »

First off, it's real real dangerous using $_GET right off like that. Second, make sure the query is running okay with some error checking and debug echoes. Make sure error_reporting is E_ALL and display_errors is on (in php.ini or through htaccess; do not trust in-page settings 100% of the time).

Post by g3ckO »

Hmm.. Ok.. I think I have found the way to solve it..

But can you explain more about this:
feyd wrote: first off, it's real real dangerous using $_GET right off like that.
Why??

Post by feyd »

Google: sql injection
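
The risk feyd and McGruff point at, as an added example that is not code from any poster in the thread: the concatenated query from the posts beside a version that takes the name as a function argument and binds it as a parameter. It assumes PDO with the SQLite driver instead of the thread's mysql_* functions (removed in PHP 7), and it swaps McGruff's escaping for parameter binding; the in-memory table, its rows and the three input strings are constructed for the demo.

```php
<?php
// Constructed in-memory table standing in for the thread's `employee` table
// (column names taken from the posts; the rows are made up).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE employee (username TEXT, EmpDes TEXT, StaffNo TEXT)");
$pdo->exec("INSERT INTO employee VALUES ('alice', 'Engineer', 'S001'),
                                        ('bob',   'Manager',  'S002')");

// Pattern from the thread: the request value is concatenated into the SQL text.
function extract_user_concat(PDO $pdo, $name)
{
    $query = "SELECT * FROM employee WHERE username ='" . $name . "'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value arrives as an argument (which also fixes the
// scope bug) and is bound as a parameter, so it can never become SQL syntax.
function extract_user(PDO $pdo, $name)
{
    $stmt = $pdo->prepare("SELECT EmpDes, StaffNo FROM employee WHERE username = ?");
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;   // null means no such user
}

// Constructed inputs standing in for $_GET['value'].
$inputs = ['alice', "x' OR '1'='1", "O'Brien"];

foreach ($inputs as $name) {
    try {
        $n = count(extract_user_concat($pdo, $name));
        $concat = "$n row(s)";
    } catch (PDOException $e) {
        $concat = 'SQL error';             // the quote broke the statement
    }
    $row   = extract_user($pdo, $name);
    $bound = $row ? $row['EmpDes'] . ' / ' . $row['StaffNo'] : 'no match';
    printf("%-14s concat: %-10s bound: %s\n", $name, $concat, $bound);
}
```

Run from the command line, the second input makes the concatenated query match every row and the third makes it fail to parse, while the bound query treats both as ordinary names with no match.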